rails-html-sanitizer v1.6.1 has been released. This is a security update which addresses multiple CVEs in v1.6.0 when used with Rails >= 7.1 and HTML5 sanitization. Users are recommended to upgrade immediately.
The relevant release notes are reproduced below; for more information, please read the linked GHSAs.
- The dependency on Nokogiri is updated to v1.15.7 or >= 1.16.8. This change addresses CVE-2024-53985 (GitHub advisory: Possible XSS vulnerability with certain configurations of rails-html-sanitizer 1.6.0).

  Mike Dalessio
- Disallowed tags will be pruned when they appear in foreign content (i.e. SVG or MathML content), regardless of the prune: option value. Previously, disallowed tags were “stripped” unless the gem was configured with the prune: true option.

  The CVEs addressed by this change are:
  - CVE-2024-53986 (GitHub advisory: Possible XSS vulnerability with certain configurations of rails-html-sanitizer 1.6.0)
  - CVE-2024-53987 (GitHub advisory: Possible XSS vulnerability with certain configurations of rails-html-sanitizer 1.6.0)

  Mike Dalessio
- The tags “noscript”, “mglyph”, and “malignmark” will not be allowed, even if explicitly added to the allowlist. If an application tries to allow any of these tags, a warning is emitted and the tags are removed from the allowlist.

  The CVEs addressed by this change are:
  - CVE-2024-53988 (GitHub advisory: Possible XSS vulnerability with certain configurations of rails-html-sanitizer 1.6.0)
  - CVE-2024-53989 (GitHub advisory: Possible XSS vulnerability with certain configurations of rails-html-sanitizer 1.6.0)

  Please note that we may restore support for allowing “noscript” in a future release. We do not expect to ever allow “mglyph” or “malignmark”, though, especially since browser support for these tags is minimal.

  Mike Dalessio
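As an added example (not part of the release notes or of the gem itself), the following Ruby script reads a Gemfile.lock and reports whether the locked rails-html-sanitizer and Nokogiri versions satisfy the constraints stated above; the lock fragment it runs against is constructed sample input, and the assumption that only Rails >= 7.1 is in scope follows the first sentence of this announcement.

```ruby
require "rubygems"

# Version constraints taken from the v1.6.1 release notes.
SANITIZER_FIXED = Gem::Requirement.new(">= 1.6.1")
NOKOGIRI_FIXED  = [Gem::Requirement.new("= 1.15.7"),
                   Gem::Requirement.new(">= 1.16.8")]
RAILS_IN_SCOPE  = Gem::Requirement.new(">= 7.1") # advisory applies to Rails >= 7.1

# Parse the top-level "specs:" entries of a Gemfile.lock into { name => version }.
# Only 4-space-indented lines are locked gems (6-space lines are dependencies);
# a platform suffix such as "1.16.7-x86_64-linux" is dropped before comparing.
def locked_versions(lock_text)
  lock_text.scan(/^ {4}([\w\-]+) \(([\d.]+)(?:-[^)]*)?\)$/).to_h
end

# Return the gems that still fall inside the vulnerable range.
# An empty list means the lock file already meets the release notes.
def audit_lock(lock_text)
  v = locked_versions(lock_text)
  findings = []
  if (san = v["rails-html-sanitizer"]) && !SANITIZER_FIXED.satisfied_by?(Gem::Version.new(san))
    findings << "rails-html-sanitizer #{san}: upgrade to >= 1.6.1"
  end
  if (nok = v["nokogiri"]) && NOKOGIRI_FIXED.none? { |r| r.satisfied_by?(Gem::Version.new(nok)) }
    findings << "nokogiri #{nok}: upgrade to 1.15.7 or >= 1.16.8"
  end
  findings
end

# True when the app is in the configuration the announcement describes:
# Rails >= 7.1 together with an unpatched sanitizer or Nokogiri.
def exposed?(lock_text)
  rails = locked_versions(lock_text)["rails"]
  return false unless rails && RAILS_IN_SCOPE.satisfied_by?(Gem::Version.new(rails))
  !audit_lock(lock_text).empty?
end

# Constructed sample lock fragment (not from any real application).
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      nokogiri (1.16.7-x86_64-linux)
      rails (7.1.4)
      rails-html-sanitizer (1.6.0)
        loofah (~> 2.21)
        nokogiri (~> 1.14)
LOCK

puts audit_lock(SAMPLE_LOCK)
```

Running it against a real application's Gemfile.lock only requires replacing SAMPLE_LOCK with File.read("Gemfile.lock").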